Information Technology Department
Policy Document
Key Management & Card Data Encryption Policy Page 1
Key Management & Card Data Encryption Policy
Document Summary
Item                       Value
Organization               Information Dynamics
Document Name              Key Management & Card Data Encryption Policy
Classification             Internal
Compliance Reference To    ISO 27001:2013, PCI DSS
Document Revision History
Date                  Version   Prepared By
01 November 2018      1.1       Information Dynamics
29th December 2019    1.2       Information Dynamics
24th December 2020    1.3       Chandrasekar
Document Review History
Reviewed By   Date                  Signature
Shibin        30th December 2019
Shibin        26th December 2020
1. Scope
This policy document addresses Information Dynamics' key management requirements and credit card data encryption.
ISO 27001:2013 Reference
A.10.1.1   Policy on the use of cryptographic controls
A.10.1.2   Key management
2. Policy
Credit card data, wherever it occurs in conjunction with the PAN, must be encrypted. This applies to all stored data, including data in databases, on portable digital media and backup media, in logs, and data received from or stored by wireless networks.
Encryption of card data will be carried out, with the associated key management procedures, using:
- Symmetric key encryption: AES 256 bits, or 3DES 128 bits
- Asymmetric key encryption: RSA 2048 bits, Diffie-Hellman 2048 bits, ElGamal 2048 bits
The MINIMUM account information that must be rendered unreadable is the PAN.
Encryption keys will be stored in a location separate from the encrypted data.
Cardholder data on removable media will be encrypted wherever it is stored.
Native file system disk encryption will not be used to encrypt credit card data.
Encryption keys used for encryption of cardholder data will be protected against both disclosure and misuse by:
- Restricting access to keys to the fewest number of custodians necessary
- Secure storage of keys in the fewest possible locations and forms
Key management processes and procedures for keys used for encryption of cardholder data will be documented and implemented for:
- Generation of strong keys: the key generation process and logic, with a description.
- Secure key distribution: how the keys are distributed securely.
- Secure key storage: the storage location of the key (application path or database).
- Periodic key changes: define the cryptoperiod of the keys.
- Destruction of old keys: the secure deletion method for keys.
- Split knowledge and establishment of dual control of keys (so that two or three people, each knowing only their part of the key, are required to reconstruct the whole key): signed key custodian forms need to be provided for each user (template for the key custodian form attached in mail).
- Prevention of unauthorized substitution of keys.
- Replacement of known or suspected compromised keys: the replacement procedure at the end of a cryptoperiod or on key compromise.
- Revocation of old or invalid keys (for RSA keys only): the process for revocation of keys.
- Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities: signed key custodian forms need to be provided for each user (template for the key custodian form attached in mail).
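The split-knowledge and dual-control requirement above can be implemented with XOR key components: each custodian holds one uniformly random component, and the 256-bit data-encryption key exists only while all components are combined, so no custodian (or any subset short of the full set) learns anything about it. The following Python example is added here and is not part of the policy or of any Information Dynamics system; the truncated SHA-256 fingerprint used as a non-secret check value is an assumed convention.

```python
import hashlib
import secrets

KEY_BYTES = 32  # AES-256 key length, as mandated by the policy


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split `key` into `custodians` components (XOR secret sharing).

    All but the last component are fresh random bytes; the last is chosen
    so that the XOR of every component equals the key. Each component is
    therefore uniformly random on its own, which is what gives each
    custodian split knowledge rather than a piece of the real key.
    """
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for component in components:
        last = _xor(last, component)
    components.append(last)
    return components


def combine_key(components: list[bytes]) -> bytes:
    """Reconstruct the key; only the full set of components yields it."""
    if len({len(c) for c in components}) != 1:
        raise ValueError("components differ in length")
    key = bytes(len(components[0]))
    for component in components:
        key = _xor(key, component)
    return key


def key_fingerprint(key: bytes) -> str:
    """Non-secret check value recorded at the key ceremony (assumed
    convention: first 8 hex digits of SHA-256) so custodians can confirm the
    reconstructed key is the intended one without exposing the key itself."""
    return hashlib.sha256(key).hexdigest()[:8]


def fingerprint_matches(key: bytes, expected: str) -> bool:
    # Constant-time comparison so the check cannot leak via timing.
    return secrets.compare_digest(key_fingerprint(key), expected)
```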